We have SCCM 2012 R2 (with CU3 applied) running in our production domain with a single SCCM site. It is used to deploy MS patches, Applications and Windows 7 OS. It can deploy to our PROD domain and three other domains in different forests. One is a trusted domain and the other two are untrusted test domains (no firewalls present). All are working fine.
We now wish to deploy only MS Patches into another untrusted firewalled domain in a DMZ but can't make the DMZ clients see the DMZ SUP/WSUS server.
DMZ contains about 40 servers; there are no external "Internet clients". In an effort to reduce the number of clients communicating through the firewall, we installed a new site server in the DMZ which is a member of the DMZ domain. We created Boundary Groups. We opened the required firewall ports between PROD and DMZ SCCM servers. The DMZ domain was discovered OK and we can publish to the DMZ SMS AD container. The following roles were installed on the DMZ SCCM server:
- Component Server
- Site System
- Distribution Point
- Management Point
- Fallback Status Point
- Software Update Point (and WSUS)
I manually installed the SCCM clients on the DMZ servers. DMZ servers appear in the correct Device Collections. However, looking at the LocationServices, WUAHandler and WindowsUpdate logs, all of the servers are trying to contact the WSUS or Catalogue server in Production which is not allowed by the firewall.
Is there any way to force the DMZ servers to use the local DMZ SUP/WSUS server? Is this even possible? Can I have two SUPs in a single site, where one of the SUPs is actually a member of an untrusted/firewalled forest?
Thanks in advance for any suggestions.
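The post above diagnoses the SUP selection by reading LocationServices, WUAHandler and WindowsUpdate logs by hand on each DMZ server. The following PowerShell script, added here as an example and not part of the original post, automates that check on one ConfigMgr client: it reads the WSUS server that WUAHandler wrote into the local Windows Update policy, pulls the most recent "Enabling WUA Managed server policy" line from WUAHandler.log, compares both against the SUP the client is expected to use, and tests whether that SUP's WSUS port is reachable through the firewall. The hostname `dmz-sccm01.dmz.example`, the port 8530 and the `CCM\Logs` path under `%windir%` are assumptions to adjust for your environment.

```powershell
# Added diagnostic example (not from the original post): report which WSUS/SUP a
# ConfigMgr client has been pointed at and whether that matches the DMZ SUP.
param(
    # Assumption: FQDN of the DMZ Software Update Point (placeholder value).
    [string]$ExpectedSup = 'dmz-sccm01.dmz.example',
    # Assumption: WSUS HTTP port; use 8531 if the SUP is configured for HTTPS.
    [int]$SupPort = 8530
)

# WUAHandler configures the Windows Update agent through these local policy values.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy   = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
$wuServer = if ($policy) { $policy.WUServer } else { $null }

# The same decision is logged in WUAHandler.log (CMTrace format); take the latest entry.
# Assumption: client logs live under %windir%\CCM\Logs on these servers.
$logPath  = Join-Path $env:windir 'CCM\Logs\WUAHandler.log'
$lastLine = $null
if (Test-Path $logPath) {
    $lastLine = Select-String -Path $logPath `
                    -Pattern 'Enabling WUA Managed server policy to use server' |
                Select-Object -Last 1
}
$supInLog = '<not found>'
if ($lastLine) {
    # Line looks like: <![LOG[Enabling WUA Managed server policy to use server: http://host:8530]LOG]!>...
    $supInLog = (($lastLine.Line -split 'use server:\s*')[1]) -replace '\]LOG\].*$', ''
}

# Can this client actually reach the expected SUP on the WSUS port through the firewall?
$reachable = $false
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ExpectedSup, $SupPort)
    $reachable = $tcp.Connected
} catch {
    $reachable = $false
} finally {
    $tcp.Close()
}

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    WUServerPolicy  = if ($wuServer) { $wuServer } else { '<not set>' }
    LastSupInLog    = $supInLog
    PointsAtDmzSup  = if ($wuServer) { [bool]($wuServer -match [regex]::Escape($ExpectedSup)) } else { $false }
    DmzSupReachable = $reachable
}
```

Run it in an elevated PowerShell session on a DMZ server (or via `Invoke-Command` against the DMZ collection). A client showing `PointsAtDmzSup = False` while `DmzSupReachable = True` has been handed the production SUP by site policy rather than being blocked by the firewall, which separates the boundary/SUP-assignment question from the network question the post raises.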